Append identities rule and fix error catching (#1664)

lemonldap-ng-common/lib/Lemonldap/NG/Common/Conf/DefaultValues.pm

@@ -71,6 +71,7 @@ sub defaultValues {
         'httpOnly'                      => 1,
         'https'                         => -1,
         'impersonationHiddenAttributes' => '_2fDevices _loginHistory',
+        'impersonationIdRule'           => 1,
         'impersonationPrefix'           => 'real_',
         'impersonationRule'             => 0,
         'impersonationSkipEmptyValues'  => 1,

lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Attributes.pm

@@ -1199,6 +1199,21 @@ qr/^(?:\*\.)?(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.])*(?:[a-zA-Z][
             'default' => '_2fDevices _loginHistory',
             'type'    => 'text'
         },
+        'impersonationIdRule' => {
+            'default' => 1,
+            'test'    => sub {
+                my ( $val, $conf ) = @_;
+                my $s = '';
+                'Safe'->new->reval("BEGIN { warnings->unimport; } $s $val");
+                my $err = join(
+                    '',
+                    grep( { $_ =~ /Undefined subroutine/ ? () : $_; }
+                        split( /\n/, $@, 0 ) )
+                );
+                return $err ? ( 1, "__badExpression__: $err" ) : 1;
+            },
+            'type' => 'text'
+        },
         'impersonationMergeSSOgroups' => {
             'default' => 0,
             'type'    => 'bool'

lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Build/Attributes.pm

@@ -457,6 +457,12 @@ sub attributes {
             default       => 0,
             documentation => 'Impersonation activation rule',
         },
+        impersonationIdRule => {
+            type          => 'text',
+            test          => $perlExpr,
+            default       => 1,
+            documentation => 'Impersonation identity rule',
+        },
         impersonationHiddenAttributes => {
             type          => 'text',
             default       => '_2fDevices _loginHistory',

lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Build/Tree.pm

@@ -653,6 +653,7 @@ sub tree {
                             form  => 'simpleInputContainer',
                             nodes => [
                                 'impersonationRule',
+                                'impersonationIdRule',
                                 'impersonationPrefix',
                                 'impersonationHiddenAttributes',
                                 'impersonationSkipEmptyValues',

lemonldap-ng-manager/site/htdocs/static/languages/ar.json

@@ -288,6 +288,7 @@
 "https":"إتش تي تي بي س",
 "impersonation":"Impersonation",
 "impersonationRule":"Use rule",
+"impersonationIdRule":"Identities use rule",
 "impersonationHiddenAttributes":"Hidden attributes",
 "impersonationMergeSSOgroups":"Merge spoofed and real SSO groups",
 "impersonationPrefix":"Real attributes prefix",

lemonldap-ng-manager/site/htdocs/static/languages/de.json

@@ -288,6 +288,7 @@
 "https":"HTTPS",
 "impersonation":"Impersonation",
 "impersonationRule":"Use rule",
+"impersonationIdRule":"Identities use rule",
 "impersonationHiddenAttributes":"Hidden attributes",
 "impersonationMergeSSOgroups":"Merge spoofed and real SSO groups",
 "impersonationPrefix":"Real attributes prefix",

lemonldap-ng-manager/site/htdocs/static/languages/en.json

@@ -288,6 +288,7 @@
 "https":"HTTPS",
 "impersonation":"Impersonation",
 "impersonationRule":"Use rule",
+"impersonationIdRule":"Identities use rule",
 "impersonationHiddenAttributes":"Hidden attributes",
 "impersonationMergeSSOgroups":"Merge spoofed and real SSO groups",
 "impersonationPrefix":"Real attributes prefix",

lemonldap-ng-manager/site/htdocs/static/languages/fr.json

@@ -288,6 +288,7 @@
 "https":"HTTPS",
 "impersonation":"Usurpation d'identité",
 "impersonationRule":"Règle d'utilisation",
+"impersonationIdRule":"Règle d'utilisation des identités",
 "impersonationHiddenAttributes":"Attributs masqués",
 "impersonationMergeSSOgroups":"Fusionner les groupes SSO réels et usurpés",
 "impersonationPrefix":"Préfix des vrais attributs",

lemonldap-ng-manager/site/htdocs/static/languages/it.json

@@ -288,6 +288,7 @@
 "https":"HTTPS",
 "impersonation":"Impersonation",
 "impersonationRule":"Use rule",
+"impersonationIdRule":"Identities use rule",
 "impersonationHiddenAttributes":"Hidden attributes",
 "impersonationMergeSSOgroups":"Merge spoofed and real SSO groups",
 "impersonationPrefix":"Real attributes prefix",

lemonldap-ng-manager/site/htdocs/static/languages/vi.json

@@ -288,6 +288,7 @@
 "https":"HTTPS",
 "impersonation":"Impersonation",
 "impersonationRule":"Use rule",
+"impersonationIdRule":"Identities use rule",
 "impersonationHiddenAttributes":"Hidden attributes",
 "impersonationMergeSSOgroups":"Merge spoofed and real SSO groups",
 "impersonationPrefix":"Real attributes prefix",

lemonldap-ng-manager/site/htdocs/static/languages/zh.json

@@ -288,6 +288,7 @@
 "https":"HTTPS",
 "impersonation":"Impersonation",
 "impersonationRule":"Use rule",
+"impersonationIdRule":"Identities use rule",
 "impersonationHiddenAttributes":"Hidden attributes",
 "impersonationMergeSSOgroups":"Merge spoofed and real SSO groups",
 "impersonationPrefix":"Real attributes prefix",

lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/Impersonation.pm

@@ -13,7 +13,8 @@ extends 'Lemonldap::NG::Portal::Main::Plugin';
 
 use constant endAuth => 'run';
 
-has rule => ( is => 'rw', default => sub { 1 } );
+has rule   => ( is => 'rw', default => sub { 1 } );
+has idRule => ( is => 'rw', default => sub { 1 } );
 
 sub hAttr {
     $_[0]->{conf}->{impersonationHiddenAttributes} . ' '
@@ -22,11 +23,11 @@ sub hAttr {
 
 sub init {
     my ($self) = @_;
+    my $hd = $self->p->HANDLER;
 
     # Parse activation rule
-    my $hd = $self->p->HANDLER;
     $self->logger->debug(
-        "impersonation rule -> " . $self->conf->{impersonationRule} );
+        "Impersonation rule -> " . $self->conf->{impersonationRule} );
     my $rule =
       $hd->buildSub( $hd->substitute( $self->conf->{impersonationRule} ) );
     unless ($rule) {
@@ -34,6 +35,19 @@ sub init {
         return 0;
     }
     $self->{rule} = $rule;
+
+    # Parse identity rule
+    $self->logger->debug( "Impersonation identity rule -> "
+          . $self->conf->{impersonationIdRule} );
+    $rule =
+      $hd->buildSub( $hd->substitute( $self->conf->{impersonationIdRule} ) );
+    unless ($rule) {
+        $self->error(
+            "Bad impersonation identity rule -> " . $hd->tsv->{jail}->error );
+        return 0;
+    }
+    $self->{idRule} = $rule;
+
     return 1;
 }
 
@@ -74,6 +88,9 @@ sub run {
     }
     $req->{user} = $spoofId;
     $spoofSession = $self->_userDatas($req);
+
+    return $req->error if $req->error;
+
     $spoofSession->{groups} ||= '';
 
     # Merging SSO groups and hGroups & Dedup
@@ -133,6 +150,18 @@ sub _userDatas {
         $self->logger->debug("Process returned error: $error");
         return $req->error($error);
     }
+
+    # Check identity rule
+    unless ( $self->idRule->( $req, $req->sessionInfo ) ) {
+        $self->userLogger->warn(
+                'Impersonation requested for an unvalid user ('
+              . $req->{user}
+              . ")" );
+
+        $self->logger->debug('Identity not authorized');
+        return $req->error(PE_BADCREDENTIALS);
+    }
+
     $self->logger->debug("Populating spoofed session...");
     return $req->{sessionInfo};
 }